• Development

  • Using GrapheneOS as a base for a consumer product

Hi there and thanks to the developers and all contributors for your amazing work on building a security and privacy focused OS for Android.

We are a startup with the aim of bringing a security hardened consumer grade afordable phone to market.

We are 100% focused of anonymity, privacy and security.

Here is an summary of the phones features/selling points

  1. Affordable Android device with fingerprint sensor (used only to keep screen alive).

  2. Secure boot process with a trusted boot loader, ensuring that only authorized and verified software is loaded during startup.

  3. Security-hardened and stripped-down version of GrapheneOS as the operating system to minimize attack vectors and provide a secure foundation.

  4. Custom security-hardened version of the Signal app as the primary communication platform, ensuring end-to-end encryption and secure messaging.

  5. Limited app installation capabilities, allowing only the pre-installed Signal app and disabling the ability to install other applications, reducing potential security risks.

  6. Encrypted storage and dedicated hardware encryption chip for enhanced data security, providing robust encryption capabilities and protecting data at rest.

  7. Physically (or by software) disconnected microphone, camera, and GPS to safeguard privacy and prevent unauthorized access or tracking.

  8. Tamper-evident physical design, making it evident if the device has been tampered with.

  9. Regular security updates and patches to address vulnerabilities and ensure ongoing protection against emerging threats.

  10. Phone ships with an anonymous SIM card, allowing users to protect their identity and maintain privacy when using cellular networks.

  11. Built-in automatic VPN for secure and anonymous internet connectivity, adding an extra layer of privacy and protection.

  12. Connects to a maximum of 2 cell towers simultaneously to prevent triangulation.

  13. Ships in a custom box including: The Phone itself, anonymous SIM card charged with 5GB of data, an instruction manual detailing the phone's features and how to request support.

We have followed the security and privacy focused operation systems for a while and landed on GrapheneOS.

We have acquired funding and have a most of the needed plans in place. We are now in the process of hiring developers.

I have thoroughly studied the GrapheneOS documentation and feature list. I do have a few questions however:

We need to disable a lot of features by default and making it impossible for the user to turn them on (maybe remove them completely from the build). Is this feasable?

Would it be feasable/manageable to keep up with your upstream repo using our stripped down version of GrapheneOS?

We need to add some features like:

  • Disabling the pattern and fingerprint sensor as a way to unlock the screen/phone

  • Implementering a strict password policy

  • Automatic complete phone wipe after 3 failed attempts

  • Panic hardware button that automatically wipes the phone

  • Automatically putting the phone in a form of airplane mode when the screen is turned off (turning of all communication services like mobile data, cell tower location requests, etc) and encrypting the phone. When the screen is unlocked and the correct password is input the phone will decrypt again and start communication services.

  • A 60 seconds screen timer that locks the screen after one minute - with the possibility to reset the timer using the fingerprint sensor

  • Custom branding of the OS

That's the most important features.

I also have a question about user profiles:

You mentioned in your Features list that

"GrapheneOS adds a toggle to the user management settings for disabling secondary user app installation. You can install the apps you want to be usable in a secondary user and then disable the ability to install more apps as that user in the Owner profile."

Does this meen that we can ship the phone with 2 profiles (with no ability to add more profiles) and that we can use the owner profile to further security harden the end user (consumer) profile to achieve some of what I listed above?

Much gratefull for any comments/ideas/answers to my questions.

    pixpot We are a startup with the aim of bringing a security hardened consumer grade afordable phone to market.

    Some of those goals sound fairly easy, some sound prohibitively expensive, and others sound impossible. Pursuing impossible goals might suggest insufficient technical advice, in which case hiring solid technical advice might be important to do soon.

    pixpot Encrypted storage and dedicated hardware encryption chip for enhanced data security, providing robust encryption capabilities and protecting data at rest.

    Building one's own "dedicated hardware encryption chip" is a mixture of prohibitively expensive and unwise. I believe that using somebody else's, at present, means getting one less good than Google's or Apple's.

    pixpot Phone ships with an anonymous SIM card, allowing users to protect their identity and maintain privacy when using cellular networks.

    What does "anonymous SIM card" mean? Can you provide an example?

    pixpot Connects to a maximum of 2 cell towers simultaneously to prevent triangulation.

    Physics doesn't work that way. Any time a phone transmits, every tower that can hear it can estimate distance (and angle) if it chooses. Combining more such estimates improves the position estimate, in a way which is not controlled by the mobile device. Cellular networks are fundamentally tracking networks. Device firmware tweaks at the margins don't change the fundamental nature of cellular networks.

              • [deleted]

              • Post #3

              pixpot Limited app installation capabilities, allowing only the pre-installed Signal app and disabling the ability to install other applications

              Wouldn't that make your device pretty useless? Even enterprises at least let their employees download third-party apps

                  • [deleted]

                  • Post #4
                  • Edited

                  pixpot Built-in automatic VPN for secure and anonymous internet connectivity

                  Please note that VPNs never provide 'Anonymity', they can at most only provide Privacy.

                  pixpot We need to disable a lot of features by default and making it impossible for the user to turn them on (maybe remove them completely from the build). Is this feasable?

                  I think you should not prevent users from Enabling/disabling the following:

                  1. Native code debugging - Many banking apps enforce weak checks and use some random runtime self-protection solutions, so you'll need to let users enable this.
                  2. Exploit Protection compatibility mode (This is a per-app setting) - Many apps can have memory corruption bugs, like Games and even Banking/Financial apps; hardened_malloc does not like to play nice with memory corruption, therefore users should be able to Exploit protection compatibility mode.
                  3. Secure App spawning - Some user reported that their phone was being heated because of this, so maybe the option to Disable this feature can be shifted to develoer options?

                  Also note that many banking apps enforce Play Integrity API's MEETS_DEVICE_INTEGRITY, which is more of a integrity/compatibility check rather than security check, So users using your device may not be able to use their banking apps; You would have to convince the Bank(s) to support your device.

                        • [deleted]

                        • Post #5

                        If this was a legitimate company, even a startup, with a serious interest, they would contact developers through a valid official channel, not via forum.

                          [deleted] We are inte the process of choosing OS and hiring developers. As the CTO I'm tasked with evaluation of different OS options.

                              If this is a hardware product (ie not installing a new OS on an existing phone), you first need to establish a supply chain with somebody who will sell you phone SoCs (unless you have a >$100m to make your own). That will limit the field very considerably.

                              I know MediaTek is a bit more friendly to small volume OEMs compared to say Qualcomm (and forget about Apple or Google). But MTK is terrible about keeping their software stack up to date, so any kind of support lifetime goes out the window.

                              The other option is a non phone SoC (Rockchip, Allwinner,NXP) plus a separate modem which is what the PinePhone does (crudely). But there you have to craft more of your own OS/driver stack, you aren’t getting it on a plate like MediaTek or Qualcomm give you. And you can’t reuse much from those.

                              And this just gets you an Aliexpress grade phone running bare AOSP, with a lot more hardware/software engineering to get even level with the current state of the market.

                              The other way is to go to Shenzhen, take whatever cookie cutter phone platform they have to offer (MTK or worse), and then deal with supporting it better than the manufacturer. That’s what Fairphone do (with abandoned Qualcomm silicon) but they can’t fix vulnerabilities in their binary blobs.

                              Any way you do it it’s hard, very hard.

                                I'm not sure about the legal implications, but wouldn't it be possible for you to fork GrapheneOS under OSI license and rebrand it (as wished by GOS: https://grapheneos.org/faq#copyright-and-licensing)? Let's say you call it SuperSimpleSecure OS and do the adjustments you mentioned, put it on a Pixel 6a or 7a and take care of future updates. It's likely not as simple as I make it sound, but this would solve like 95% of what you're looking for. Panic hardware button could maybe be a repurposed Emergency SOS shortcut (press power button 5 times).

                                Again: I have no idea about the legal background of this and which AOSP and GOS licenses have to be followed. Maybe somebody else can elaborate further.

                                  Foggy Thanks for the the reply. We are not builing the phone itself. We are going to use new (if we can get them) or refurbished Pixel phones (or possibly another existing low cost phone supported by GrapheneOS)

                                    N1b Yes. That is basically what we are doing. The problem is how we can handle upstream updates and security patches/fixes, etc

                                      de0u

                                      Thank you for your comments.

                                      de0u Building one's own "dedicated hardware encryption chip" is a mixture of prohibitively expensive and unwise. I believe that using somebody else's, at present, means getting one less good than Google's or Apple's.

                                      Yes. We have realized that this is not feasable and we will go with the phones (probably a Pixels) built in encryption utilizing a combination of hardware and software-based encryption mechanisms to secure data on the device and make use of the device's main processor (CPU) to handle encryption and decryption operations (the way the phone handles this by default )

                                      de0u What does "anonymous SIM card" mean? Can you provide an example?

                                      Absolutely. The phones is shipped with an anonymous sim card that is not registered to any person or company. It can still be used like a regular prepaid sim card but no name is connected to the sim card.

                                      de0u Physics doesn't work that way. Any time a phone transmits, every tower that can hear it can estimate distance (and angle) if it chooses. Combining more such estimates improves the position estimate, in a way which is not controlled by the mobile device. Cellular networks are fundamentally tracking networks. Device firmware tweaks at the margins don't change the fundamental nature of cellular networks.

                                      Yes, you are probably right. If there is any other way to make "triangulation" estimating a location of a phone more difficult please share what you know about it.

                                      • de0u replied to this.

                                                [deleted]

                                                [deleted] Wouldn't that make your device pretty useless? Even enterprises at least let their employees download third-party apps

                                                No, on the contrary this is an extremely important security feature for us. Allowing installation of third part pass open upp multiple attack vectors and is a huge security issue.

                                                Our users are extremely sensitive to anonymity and privacy (think journalists under repressive governments).

                                                      [deleted] Native code debugging - Many banking apps enforce weak checks and use some random runtime self-protection solutions, so you'll need to let users enable this.

                                                      Since we are not allowing users to install any other apps this should not be an issue right?

                                                      [deleted] Also note that many banking apps enforce Play Integrity API's MEETS_DEVICE_INTEGRITY, which is more of a integrity/compatibility check rather than security check, So users using your device may not be able to use their banking apps; You would have to convince the Bank(s) to support your device.

                                                      See above answer. No other apps then the security hardened version of signal is installed and no other apps can be installed by the user.

                                                      Think of the product as strictly a secure communication device where users can send messages (and use voice in a future update).

                                                      Everything not required for this should be disabled by default and hidden/removed from the OS (depending on what is most manageable when keeping up with the upstream branch).

                                                      Any ideas, comment och other thoughts are much appreciated.

                                                            • [deleted]

                                                            • Post #15

                                                            pixpot how many of such devices are you aiming to redistribute roughly? Straight question. Straight answer.

                                                                de0u What does "anonymous SIM card" mean? Can you provide an example?

                                                                pixpot Absolutely. The phones is shipped with an anonymous sim card that is not registered to any person or company. It can still be used like a regular prepaid sim card but no name is connected to the sim card.

                                                                I am skeptical that it is possible to have SIM cards that will be recognized by cellular carriers without being registered to "any person or company". If that is possible, can you provide an example of some company or organization that is offering those today?

                                                                    pixpot If there is any other way to make "triangulation" estimating a location of a phone more difficult please share what you know about it.

                                                                    I'm afraid that what you (and many others) want is in opposition to not only physics but also economics.

                                                                    Wireless data sure is convenient! But in the universe we inhabit, radio has certain inconvenient properties. High-frequency RF is great for carrying lots of bits per second, but it's shorter-range and more easily locateable. Lower-frequency RF is harder to pinpoint but can't carry lots of data.

                                                                    People could spend hundreds of billions of dollars to build high-speed wireless networks with pretty good anonymity, but those networks would be immediately and continuously abused by griefers, so it's not likely that people will spend money that way.

                                                                    If your business model is "pay us extra for a seriously locked-down phone", that could be implemented, though it's not immediately obvious who would want one. But if your business model is "pay us extra for a phone that enables you to use a cellular tracking network except without tracking", I agree that sounds cool but suspect it isn't going to happen any time soon. Maybe eventually somebody will invent quantum entanglement communication devices, and cellular microwave networks will fall into disuse, but I'm not holding my breath.

                                                                      • [deleted]

                                                                      • Post #20

                                                                      All I can tell you is, I am one of those privileged to use Graphene OS (while stock lasts). I would not change it for the world, even though AOSP keyboard gives me grief and that is a fact.

                                                                        [deleted] We are starting with a prototype of course. But then we have pre orders for 200 units.

                                                                        After that we will see